Aliases: Win32/Wowinzi.A
Variants: W32/Wowinzi.A, Win32.Wowinzi.A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 May 2008
Damage: Low

Characteristics: The W32.Wowinzi.A program could download and execute much more threat on the already infected PC. It spreads through removable media drives, network shares, and local drives. It affects Windows Operating system such as Windows 95, Windows 2000, Windows Me, Windows 98, Windows Server 2003, Windows NT, Windows Vista, and Windows XP.

More details about W32.Wowinzi.A

W32.Wowinzi.A is a worm that propagates by copying its code to mapped, fixed and removable media drives on the computer. It can also steal data and download malicious code. The worm can be downloaded from compromised sites. Once W32.Wowinzi.A is executed on your system, the worm copies itself as windows.txt and Tasks\0x01xx8p.exe on Windows Folder. It as well creates a copy of spoolsv.exe and modifies dllcache\spoolsv.exe and spoolsv.exe in the system folder. The Hacktool.Rootkit and Infostealer.Gampass file could then be dropped and executed on the compromised computer. The worm also duplicates to all removable and fixed drives as MSDOS.bat on the Drive Letter. It will then further create autorun.inf on all fixed and removable media drives in order to execute itself automatically whenever the drive is accessed. The worm also creates the registry entry to run the virus every time Windows starts.

The worm has the ability to contact a particular URL to retrieve configuration information. After this process, it copies itself to network and removable drives, download and execute the file, tries to infect executable files, gather e-mail addresses, injects malicious code to local network user pages and into Web pages on the computer and attempts to propagate through network shares.